Aligning on behavior of prefetch

[noamr]

Request for Mozilla Position on changes to an Existing Web Specification

Mozilla introduced prefetch years ago... Now trying to align it across browsers. The proposal is very similar to what Mozilla already does, with a couple of changes:

• The Accept header for prefetch is defined as the same one that is sent with frame navigation. This prevents double-prefetches with Vary: Accept

• Instead of the custom X-Moz: Prefetch and Purpose: Prefetch we send today, align on Sec-Purpose: Prefetch

• Specification Title:

• Specification or proposal URL: Define link processing for prefetch whatwg/html#8111

• Caniuse.com URL (optional): https://caniuse.com/link-rel-prefetch

• Bugzilla URL (optional): https://bugzilla.mozilla.org/show_bug.cgi?id=1788167

• Mozillians who can provide input (optional):

Other information

[martinthomson]

@bgrins, @mystor, this looks reasonable to me. WDYT?

[smaug----]

Looks reasonable to me too.

[noamr]

Thanks! I wonder what's your view on the related CSP change: w3c/webappsec-csp#582
Tl;dr: instead of having a custom prefetch-src, we use default-src or the least restrictive directive in the policy. This allows using resource hints and exfiltration protection (e.g. default-src 'none') together.

[zcorpan]

I've discussed with @valenting , we think this looks reasonable. Will label as "positive", no need for a dashboard entry.